Detect potential file enumeration activity ASIM Web Session
| Id | b3731ce1-1f04-47c4-95c2-9827408c4375 |
| Rulename | Detect potential file enumeration activity (ASIM Web Session) |
| Description | This detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes |
| Severity | Medium |
| Tactics | Discovery CommandAndControl CredentialAccess |
| Techniques | T1083 T1071 T1110 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PotentionalFileEnumeration.yaml |
| Version | 1.0.0 |
| Arm template | b3731ce1-1f04-47c4-95c2-9827408c4375.json |
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let HTTPErrorCode=dynamic(["404"]);
let threshold = 10; // You can update this threshold to the value that suites your environment
// let FileNotFoundRequests =
_Im_WebSession (starttime=ago(1h))
| where EventResultDetails in~ (HTTPErrorCode)
// Filter the logs to include only HTTP GET requests with an HTTP status code of 404 and '/' in the URL
| where HttpRequestMethod =~ "GET" and Url contains "/"
| summarize
RequestCount = count(),
FileCount=dcount(Url),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated),
RequestURLs = make_set(Url, 100),
DestinationIPList=make_set(DstIpAddr, 100)
by SrcIpAddr, SrcUsername, SrcHostname, DstHostname
| where RequestCount > threshold // Adjust the threshold as per your requirements
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PotentionalFileEnumeration.yaml
customDetails:
EventStartTime: EventStartTime
RequestCount: RequestCount
RequestURLs: RequestURLs
FileCount: FileCount
DestinationIPList: DestinationIPList
EventEndTime: EventEndTime
status: Available
id: b3731ce1-1f04-47c4-95c2-9827408c4375
alertDetailsOverride:
alertDescriptionFormat: User generated multiple requests '{{RequestCount}}' that has resulted in error code '404', suggesting the possibility of file enumeration activity. It's important to investigate the source and patterns of these extensive 404 errors to identify potential security threats. Details about this error code could be found [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)
alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed with performing file enumeration activity
query: |
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let HTTPErrorCode=dynamic(["404"]);
let threshold = 10; // You can update this threshold to the value that suites your environment
// let FileNotFoundRequests =
_Im_WebSession (starttime=ago(1h))
| where EventResultDetails in~ (HTTPErrorCode)
// Filter the logs to include only HTTP GET requests with an HTTP status code of 404 and '/' in the URL
| where HttpRequestMethod =~ "GET" and Url contains "/"
| summarize
RequestCount = count(),
FileCount=dcount(Url),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated),
RequestURLs = make_set(Url, 100),
DestinationIPList=make_set(DstIpAddr, 100)
by SrcIpAddr, SrcUsername, SrcHostname, DstHostname
| where RequestCount > threshold // Adjust the threshold as per your requirements
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
tags:
- SchemaVersion: 0.2.6
Schema: WebSession
description: |
'This detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes'
name: Detect potential file enumeration activity (ASIM Web Session)
relevantTechniques:
- T1083
- T1071
- T1110
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DstHostname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SrcHostname
triggerThreshold: 0
severity: Medium
requiredDataConnectors: []
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
tactics:
- Discovery
- CommandAndControl
- CredentialAccess
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3731ce1-1f04-47c4-95c2-9827408c4375')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3731ce1-1f04-47c4-95c2-9827408c4375')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "User generated multiple requests '{{RequestCount}}' that has resulted in error code '404', suggesting the possibility of file enumeration activity. It's important to investigate the source and patterns of these extensive 404 errors to identify potential security threats. Details about this error code could be found [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)",
"alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed with performing file enumeration activity"
},
"alertRuleTemplateName": "b3731ce1-1f04-47c4-95c2-9827408c4375",
"customDetails": {
"DestinationIPList": "DestinationIPList",
"EventEndTime": "EventEndTime",
"EventStartTime": "EventStartTime",
"FileCount": "FileCount",
"RequestCount": "RequestCount",
"RequestURLs": "RequestURLs"
},
"description": "'This detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes'\n",
"displayName": "Detect potential file enumeration activity (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DstHostname",
"identifier": "HostName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PotentionalFileEnumeration.yaml",
"query": "// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.\n// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status\nlet HTTPErrorCode=dynamic([\"404\"]);\nlet threshold = 10; // You can update this threshold to the value that suites your environment\n// let FileNotFoundRequests = \n_Im_WebSession (starttime=ago(1h))\n| where EventResultDetails in~ (HTTPErrorCode)\n// Filter the logs to include only HTTP GET requests with an HTTP status code of 404 and '/' in the URL\n| where HttpRequestMethod =~ \"GET\" and Url contains \"/\"\n| summarize\n RequestCount = count(),\n FileCount=dcount(Url),\n EventStartTime=min(TimeGenerated),\n EventEndTime=max(TimeGenerated),\n RequestURLs = make_set(Url, 100),\n DestinationIPList=make_set(DstIpAddr, 100)\n by SrcIpAddr, SrcUsername, SrcHostname, DstHostname\n| where RequestCount > threshold // Adjust the threshold as per your requirements\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"CredentialAccess",
"Discovery"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1071",
"T1083",
"T1110"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}